Scenerio :
Use Groups for multi tenancy (One user working for different organizations) -
Create one group for each org like group_org1, group_org2 etc.
Provide permissions to above groups using group policy (using confidential client authorization tab). Ex :- group_org1 has permission on resource1 and group_org2 has permission on resource2.
Assign above groups to a user , hence user will have 2 groups and, permission on resource1 & resource1.
Now groups fetched for this user will be used as organizations in application.
When selected org1 then application will work according to the permissions attached to group org1 i.e. permission only on resource1.
Question :
As of now if I try to fetch authorization permissions for a user then keycloak will give me combined permissions attached to both the groups i.e. on resource1 and resource2 . I need to fetch permissions attached to single group using keycloak rest-api. (after fetching this specific permissions I can authorize user in the application for given resource)
Hope I made my question a bit clear.
Related
I want to automatize creating users and adding permissisons. Is it possible in grafana, to dynamicaly adds permission to user based on AD group?
Lets say user inputs his data including AD group he is in, and the app will create folder, and sets read/edit permissions only to users that are in AD group (that can be any group )?
I know you can set viewer/editor/admin roles to people based on AD group in config file, but is it possible to do so dynamicaly, with their http api?
You can set permissions for folders and permissions for dashboards using the Grafana HTTP API:
Folder Permissions API
Dashboard Permissions API
The logic, what permission should be set for which user, needs to be determined in your code (e.g. based on the user input you mentioned) before making the request.
If we scope the Application access Policy to specific mail enabled group and grant access only to the member of the group there are chances for any userid can be added to the group and leverage full access to the mailbox. What level of security controls can be added to prevent this??
Use the New-ApplicationAccessPolicy cmdlet to restrict or deny access to a specific set of mailboxes by an application that uses APIs (Outlook REST, Microsoft Graph, or Exchange Web Services (EWS)). These policies are complementary to the permission scopes that are declared by the application.
While scope-based resource access like Mail.Read or Calendar.Read is effective to ensure that the application can only read email or events within a mailbox and not do anything else, application access policies allow admins to enforce limits that are based on a list of mailboxes. For example, apps developed for one country shouldn't have access to data from other countries. Or, or a CRM integration application should only access calendars in the Sales organization and no other departments.
Reference: New-ApplicationAccessPolicy (ExchangePowerShell) | Microsoft Docs
Is there a way to include the list of groups a user is a member of inside a Keycloak access token, along with the roles they are in? I've created several groups and mapped them to roles. However, I may have more than 1 group that maps to a particular role. I'd like to be able to make fine-grained authorization decisions so I know that User A is in Role A but also Group B. Is that possible?
Found the answer to this right here. All I had to do was add an additional mapper to my Client. Worked like a charm.
I have configured Keycloak with user self-registration. The keycloak instance will hold users of multiple customers which I plan to put into groups (so each customer can have admins that can manage these users through fine-grained permissions).
To map users that are self-registering to appropriate groups (using their email address, e.g.) I'd like to put them in their default group upon registering. Is this possible using either configuration or implementing an SPI? Or are there other possibilities to achieve a similar behavior?
I am currently working on a project in which there are many threads that users can create. User's have different permissions for the threads that can be specified by users with admin permission. User's need to be added to the thread before they have access to it.
When a user is added to the thread, they are given either read, write or admin permission. Users can also be part of groups. These groups can then be added to a thread in which case, all users in the group will be added along with the permission that is specified for the group.
thread: {id: xxxxx, users:[{id:user01, permission: write, discovery: non}, {id:user02, permission: read, discovery: GroupA}]}
So a user can be added with an individual permission or they can be added with permission given to the group they are a part of. Discovery would specify whether the user was added individually or as a group.
I am wondering if this would be the best method of setting up Mongo for this sort of permission system and also how I would actually define this schema using Mongoose? I think that it would be fastest to have all these aspects embedded into each thread.